Step by Step Process: Signing and Timestamping Java JAR File
Steps to Sign and Timestamp a Java Jar File
Here’s the step-by-step guide to signing and timestamping a JAR file.
Step 1: Locate the certificate in your browser and export it with the private key, including all the certificates in the chain and the extended properties. A password will be required, and the file format will be .PFX.
Step 2: Be sure to install and use the latest version of the JDK.
Step 3: Create a .bat file and run the command below:
keytool.exe -importkeystore -srckeystore ExportedCertificateFileExample.pfx -srcstoretype pkcs12 -destkeystore KeystoreFileExample -deststoretype JKS
This will create the JKS keystore KeystoreFileExample.
Step 4: Run this command to get the alias value assigned by Comodo:
keytool.exe -list -storepass YourPassword -keystore KeystoreFileExample -v
Note: YourPassword is the same password you entered in Step 3.
Step 5: To sign the JAR, use this syntax:
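jarsigner.exe -keypass KeyPasswordExample -keystore KeystoreFileExample -storepass YourStorePassword -tsa https://timestamp.comodoca.com/rfc3161 -digestalg SHA-256 JarNameFile.jar YourAliasString
The password will be the same as the one used in Step 3.
Note:
- The store password and the key password can be different.
- -digestalg can be the algorithm you choose, such as SHA-1 or SHA-256. SHA-1 is deprecated for signatures, and recent JDK releases treat JARs signed with it as unsigned, so SHA-256 is the safer choice and is used in the command above.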
Step 6: Optionally, verify the signed JAR using this command:
jarsigner.exe -verify -verbose -certs JarNameFile.jar
One thing to note is that Jarsigner can only timestamp against a server that complies with the Time-Stamping Protocol (RFC 3161). So it’s better to use an RFC 3161 timestamp URL with Jarsigner; see https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server for the time-stamping server.
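As a complement to the jarsigner -verify check in Step 6, the following added example (not part of the original guide) inspects a JAR's META-INF entries to report which digest algorithm the signature file uses and whether the signature block carries an RFC 3161 timestamp attribute. The function names and the sample JARs are constructed for illustration, and the timestamp check is a byte-search heuristic, not a PKCS#7 parse or a signature validation.

```python
import io
import re
import zipfile

# DER encoding of OID 1.2.840.113549.1.9.16.2.14 (id-aa-signatureTimeStampToken),
# the unsigned attribute that carries an RFC 3161 timestamp token.
TS_TOKEN_OID = bytes.fromhex("060b2a864886f70d010910020e")
# jarsigner writes attribute names such as SHA1-Digest or SHA-256-Digest-Manifest.
DIGEST_ATTR = re.compile(rb"^(SHA1|SHA-\d+|MD5)-Digest", re.MULTILINE)
BLOCK_EXT = (".RSA", ".DSA", ".EC")


def inspect_jar(jar_bytes):
    """Report signature presence, digest algorithms and timestamp presence."""
    report = {"signed": False, "digests": set(), "timestamped": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            upper = name.upper()
            if not upper.startswith("META-INF/"):
                continue
            data = jar.read(name)
            if upper.endswith(".SF"):
                report["digests"].update(m.decode() for m in DIGEST_ATTR.findall(data))
            elif upper.endswith(BLOCK_EXT):
                report["signed"] = True
                # Heuristic: search for the OID bytes instead of parsing PKCS#7.
                report["timestamped"] |= TS_TOKEN_OID in data
    report["weak_digest"] = bool(report["digests"] & {"SHA1", "MD5"})
    return report


def build_sample_jar(digest_attr, with_timestamp):
    """Constructed stand-in for a signed JAR; the signature block is fake bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/ALIAS.SF",
                     "Signature-Version: 1.0\r\n%s-Digest-Manifest: AAAA\r\n\r\n" % digest_attr)
        block = b"\x30\x82" + (TS_TOKEN_OID if with_timestamp else b"") + b"\x00" * 8
        jar.writestr("META-INF/ALIAS.RSA", block)
        jar.writestr("Hello.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_jar(build_sample_jar("SHA1", with_timestamp=False)))
    print(inspect_jar(build_sample_jar("SHA-256", with_timestamp=True)))
```

To check a real file, pass its bytes to inspect_jar, for example the contents of JarNameFile.jar read in binary mode.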